Tuesday, January 26, 2010

Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.

Two news stories of computerized espionage reached me today.

The first, regarding the oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to a science fiction convention runners' (SMOFS) mailing list we both read.

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

Starwood's claim points to a "mountain of undisputed evidence," including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud...Hilton's conduct is outrageous."

As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries, France among them, have been known to conduct corporate espionage, and as the second story above shows, so do corporations themselves.

Sunday, January 24, 2010

My friend Bill Brenner, editor of CSO Magazine, just warned friends in his Facebook status message that someone may be trying to get them to add an application to their wall by using his name.

Bill Brenner: Some cyber-dope is apparently trying to use my name to infect your machine with the message "Bill Brenner has posted something on your wall." Do not click on it. It's a trick. Repeat: If you get a bunch of messages from me saying I posted something called "news feed" on your wall, do not allow the app access.

I don't know if this is targeted against Bill (if so, congratulations Bill! You made it!) or if a malicious app is using the names of friends to get people to add it. But this is certainly an interesting development.

Bill, stay strong and ignore. I passed it over to Facebook security. And people, remember to be careful of what you click on!

Saturday, January 23, 2010

Microsoft has put a lot into securing its code, and is very good at doing so. However, is it doing enough?

My main argument is about the policy of handling vulnerabilities for 6 months without patching (as the Google attacks' 0day apparently was) and the policy of waiting a whole month before patching this very same vulnerability once it first became an in-the-wild 0day exploit (it has now been patched, ahead of schedule).

Microsoft is the main proponent of responsible disclosure, and has shown it is a responsible vendor. Also, patching vulnerabilities is far from easy, and Microsoft has done a tremendous job at getting it done. I simply call on it to stay responsible and amend its faulty and dangerous policies. A whole month as the default response to patching a 0day? Really?

With their practical monopoly, and the resulting monoculture, perhaps their policies ought to be examined for regulation as critical infrastructure, if they can't bring themselves to be more responsible on their own.

This is the first time in a long while that I find it fit to criticize Microsoft on security. Perhaps they have grown complacent with the PR nightmare of full disclosure a decade behind them, with most vulnerabilities now "sold" to them directly or indirectly by the security industry.

CERN put the Large Hadron Collider through some rigorous tests, and apparently at first some of the Siemens manufactured SCADA systems failed. While they are apparently better now, and I am happy to see how serious CERN is about security, this does beg the question.... WAIT! You mean it's connected to the Internet? I suddenly don't feel so safe.

Protection against external access
‘Redundant installations such as the Simatic S7-400H fault-tolerant type of controllers may offer a high degree of operational safety. But who can guarantee that no one will take over the controller, crash it and compromise its security?’ asks Dr. Stefan Lüders from the computer security team of the IT department at CERN. ‘Most controllers, field devices and even actuators are now directly connected to Ethernet.’

The team led by Dr. Lüders therefore developed a special test bench for dedicated examination of the vulnerability of controllers, SCADA (Supervisory Control and Data Acquisition) systems and other Ethernet-connected devices in the market to cyber-attacks. This not only relates to protection against hackers with more or less criminal intent, but also against viruses and worms that can be introduced through a variety of channels—including USB sticks and CF cards. In contrast to the usual patches that can be installed in an office environment, controllers cannot be easily updated daily with the latest antivirus protection, even if it is available.

As part of the validation of controllers used at CERN, at the test bench on Control System Security at CERN (TOCSSiC), 31 devices from seven manufacturers were systematically tested for penetration resistance with the vulnerability scanners Nessus and Netwox. Taking all different firmware versions into account, this led to 53 tests in total. In addition to interference through overload (Denial of Service, DoS), the tests also included provoked attacks on vulnerabilities in operating systems by infiltration of malicious software and ‘malicious’ manipulation of TCP/IP-based protocols. About one third of the tested devices failed these tests and showed severe security problems.

Approximately one third of the devices came from the Simatic S7 product series, some with an integrated Ethernet interface, some with separate communication processors, such as the CP 343-1 Lean for the S7-300 series.

The poor test results led to a ‘very productive interaction with Siemens’ and ultimately made ‘Simatic controllers significantly more secure over the years; now they meet the stringent requirements at CERN,’ summarises Dr. Lüders.

The company that operates the billboards, Panno.ru, said hackers were behind a graphic sex video broadcast late Thursday night on two roadside screens along Moscow's Garden Ring Road, one of the city's busiest arteries.

"This was an attack by hackers on the computers, as a result of which one of the commercial video clips was swapped for an indecent video," Panno.ru commercial director Viktor Laptev told RIA-Novosti.

Friday, January 15, 2010

Many news sources are reporting on how Google and other corporations were hacked by China.

The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day.

Unlike my colleagues (save for the ones reporting), I would rather not discuss this too much before more data is available.

Regardless of what really happened, which I hope we will know more on later, these things are clear:

1. GhostNet showed an interesting attack, but unfortunately many of us jumped to the conclusion that China was behind it without evidence. Based on ethos alone, I'd like to think that when Google says China did it, they know. Although, Google being a commercial company with its own agenda, I am reserving final judgement.

2. The 0day disclosed here shows a higher level of sophistication, as well as an M.O. which China has been shown to use in the past.

3. If this was China (some recent talk seems to make that ambiguous, but it is still likely), they would have more than just one weapon in their arsenal.

4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.

Tuesday, January 12, 2010

Many in the security community are continually annoyed with the TSA and air safety, mumbling security theater this and idiots that. Following the undies bomber incident, these mumblings turned into rumblings, and then into a "let's get back at the TSA" joking spree, which I was more than happy to jump ahead of.

And indeed, folks on the funsec mailing list had some fun with it.

phester wrote:

I've considered carrying a bag of dildoes when I fly. I imagine a conversation something like this:

TSA: What's this?!?

Me: A bunch of dildoes.

TSA: Why are you carrying a bunch of dildoes?

Me: It makes me feel safe.

TSA: How does a bunch of dildoes make you feel safe?

Me: I've been asking the same thing since they created the TSA.

This was indeed fun, and we had a good laugh. Erik Harrison replied with the often quoted TSA joke:

TSA: "Nine times out of ten, it's an electric razor but, every once in a while, it's a dildo. Of course, it's company policy never to imply ownership in the event of a dildo. We have to use the indefinite article. A dildo, never your dildo."

After a bit more fun, I responded seriously:

If it was me, I would say it was my dildo every time. It would be interesting to see their faces, but more importantly, if it's not mine, it might be a terrorist who put it in my bag. Bad idea: an exploded bag, a cavity search and 3 hours to 3 days later...

But more than the TSA not having a sense of humour, this is really about respect, and about understanding that they can take no chances with you not being serious:

It's great to joke about, but not to practice as a joke. As I said earlier, bad idea.

Don't mess with:
1. People trying to do their jobs.
2. People who are on alert for criminals and terrorists.
3. People who have the power to arrest you.
4. People who have guns to do their job.
and:
5. People who are forced to check you completely with the mere mention of a joke, as it might not be a joke.

All-in-all, we had a good time playing with this, but we should all keep in mind that regardless of what we may think of the TSA and others around the world, some jokes are just not worth the price of a cavity search -- or at the very least 10 more minutes in line.

I have been interested in human communication for a while now, be it debate and rhetoric on the one hand, or social/non-verbal psychology and persuasion on the other. I often come across links of interest, and share them with friends. Or have thoughts on the subject and share them here.

I decided that with the effort already going into emailing out links, I could just as easily blog them. And so, I started a new blog on this subject matter, specifically to post links to interesting news stories and comic strips.

Friday, January 08, 2010

This is a story about a contest to put Trojan horses on chips. Very interesting from a hardware hacking perspective, as well as from a trusting-trust and supply chain security perspective.

5 January 2010—In November, engineering students from five top universities gathered at the Polytechnic Institute of NYU, in Brooklyn, N.Y., for the Embedded Systems Challenge. The aim was to test new attacks and defenses against an underappreciated breed of Trojan horse—embedded malware built into integrated circuits.

The winning team’s results, set to appear in journals and at conference proceedings in 2010, reveal how vulnerable many systems are to "chip attacks." The contest also demonstrated the high degree of technical sophistication required for these attacks, making it more likely that attackers will pursue specialized applications, such as sensitive military equipment or high-security financial computers. Attacking Dad’s new Windows 7 PC probably isn’t worth the extreme investment of time and money—especially when cheaper and quicker phishing and software-based malware attacks still work all too well.